* [PATCH 1/2] soc: xilinx: Fix race condition in event registration
@ 2026-03-17 13:35 Prasanna Kumar T S M
[not found] ` <20260317143643.1329013-1-ptsm@linux.microsoft.com>
0 siblings, 1 reply; 4+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-17 13:35 UTC (permalink / raw)
To: ptsm, michal.simek, jay.buddhabhatti, marco.crivellari,
tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel
The zynqmp_power driver registers handlers for suspend and subsystem
restart events using register_event(). However, the work structures
(zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
these handlers were allocated and initialized after the registration
call.
This created a race window where, if the firmware triggered an event
immediately after registration but before allocation, the callback
(suspend_event_callback or subsystem_restart_event_callback) would
dereference a NULL pointer in work_pending(), leading to a crash.
Fix this by allocating and initializing the work structures before
registering the events.
Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")
Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
---
drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 9085db1b480a..aa35b63b45a3 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
* is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
* then use ipi-mailbox or interrupt method.
*/
+ zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
+ sizeof(struct zynqmp_pm_work_struct),
+ GFP_KERNEL);
+ if (!zynqmp_pm_init_suspend_work)
+ return -ENOMEM;
+
+ INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
+ zynqmp_pm_init_suspend_work_fn);
+
ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
suspend_event_callback);
if (!ret) {
- zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
- sizeof(struct zynqmp_pm_work_struct),
- GFP_KERNEL);
- if (!zynqmp_pm_init_suspend_work)
- return -ENOMEM;
-
- INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
- zynqmp_pm_init_suspend_work_fn);
-
ret = zynqmp_pm_get_family_info(&pm_family_code);
if (ret < 0)
return ret;
@@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
else
return -ENODEV;
- ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
- false, subsystem_restart_event_callback);
- if (ret) {
- dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
- ret);
- return ret;
- }
-
zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
sizeof(struct zynqmp_pm_work_struct),
GFP_KERNEL);
@@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
zynqmp_pm_subsystem_restart_work_fn);
+
+ ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
+ false, subsystem_restart_event_callback);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
+ ret);
+ return ret;
+ }
} else if (ret != -EACCES && ret != -ENODEV) {
dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
return ret;
--
2.49.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] soc: xilinx: Fix race condition in event registration
[not found] <20260317133451.1324251-1-ptsm@linux.microsoft.com>
@ 2026-03-18 15:40 ` Michal Simek
0 siblings, 0 replies; 4+ messages in thread
From: Michal Simek @ 2026-03-18 15:40 UTC (permalink / raw)
To: Prasanna Kumar T S M, jay.buddhabhatti, marco.crivellari,
tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel
On 3/17/26 14:34, Prasanna Kumar T S M wrote:
> [Some people who received this message don't often get email from ptsm@linux.microsoft.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> The zynqmp_power driver registers handlers for suspend and subsystem
> restart events using register_event(). However, the work structures
> (zynqmp_pm_init_suspend_work and zynqmp_pm_init_restart_work) used by
> these handlers were allocated and initialized after the registration
> call.
>
> This created a race window where, if the firmware triggered an event
> immediately after registration but before allocation, the callback
> (suspend_event_callback or subsystem_restart_event_callback) would
> dereference a NULL pointer in work_pending(), leading to a crash.
>
> Fix this by allocating and initializing the work structures before
> registering the events.
>
> Fixes: fcf544ac6439 ("soc: xilinx: Add cb event for subsystem restart")
>
please remove empty line above.
> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
> ---
> drivers/soc/xilinx/zynqmp_power.c | 34 +++++++++++++++----------------
> 1 file changed, 17 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
> index 9085db1b480a..aa35b63b45a3 100644
> --- a/drivers/soc/xilinx/zynqmp_power.c
> +++ b/drivers/soc/xilinx/zynqmp_power.c
> @@ -303,18 +303,18 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
> * is not available to use) or -ENODEV(Xilinx Event Manager not compiled),
> * then use ipi-mailbox or interrupt method.
> */
> + zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
> + sizeof(struct zynqmp_pm_work_struct),
> + GFP_KERNEL);
> + if (!zynqmp_pm_init_suspend_work)
> + return -ENOMEM;
> +
> + INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
> + zynqmp_pm_init_suspend_work_fn);
> +
> ret = register_event(&pdev->dev, PM_INIT_SUSPEND_CB, 0, 0, false,
> suspend_event_callback);
> if (!ret) {
> - zynqmp_pm_init_suspend_work = devm_kzalloc(&pdev->dev,
> - sizeof(struct zynqmp_pm_work_struct),
> - GFP_KERNEL);
> - if (!zynqmp_pm_init_suspend_work)
> - return -ENOMEM;
> -
> - INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
> - zynqmp_pm_init_suspend_work_fn);
> -
> ret = zynqmp_pm_get_family_info(&pm_family_code);
> if (ret < 0)
> return ret;
> @@ -326,14 +326,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
> else
> return -ENODEV;
>
> - ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
> - false, subsystem_restart_event_callback);
> - if (ret) {
> - dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
> - ret);
> - return ret;
> - }
> -
> zynqmp_pm_init_restart_work = devm_kzalloc(&pdev->dev,
> sizeof(struct zynqmp_pm_work_struct),
> GFP_KERNEL);
> @@ -342,6 +334,14 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
>
> INIT_WORK(&zynqmp_pm_init_restart_work->callback_work,
> zynqmp_pm_subsystem_restart_work_fn);
> +
> + ret = register_event(&pdev->dev, PM_NOTIFY_CB, node_id, EVENT_SUBSYSTEM_RESTART,
> + false, subsystem_restart_event_callback);
> + if (ret) {
> + dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n",
> + ret);
> + return ret;
> + }
> } else if (ret != -EACCES && ret != -ENODEV) {
> dev_err(&pdev->dev, "Failed to Register with Xilinx Event manager %d\n", ret);
> return ret;
> --
> 2.49.0
>
the same change should happen also for
else if (of_property_present(pdev->dev.of_node, "mboxes")) {
diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
index 5086c1e6797e..98bac07f73d1 100644
--- a/drivers/soc/xilinx/zynqmp_power.c
+++ b/drivers/soc/xilinx/zynqmp_power.c
@@ -346,15 +346,6 @@ static int zynqmp_pm_probe(struct platform_device *pdev)
dev_err(&pdev->dev, "Failed to Register with Xilinx Event
manager %d\n", ret);
return ret;
} else if (of_property_present(pdev->dev.of_node, "mboxes")) {
- zynqmp_pm_init_suspend_work =
- devm_kzalloc(&pdev->dev,
- sizeof(struct zynqmp_pm_work_struct),
- GFP_KERNEL);
- if (!zynqmp_pm_init_suspend_work)
- return -ENOMEM;
-
- INIT_WORK(&zynqmp_pm_init_suspend_work->callback_work,
- zynqmp_pm_init_suspend_work_fn);
client = devm_kzalloc(&pdev->dev, sizeof(*client), GFP_KERNEL);
if (!client)
return -ENOMEM;
Thanks,
Michal
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel
[not found] ` <20260317143643.1329013-1-ptsm@linux.microsoft.com>
@ 2026-03-18 16:06 ` Michal Simek
2026-03-20 6:06 ` Prasanna Kumar T S M
0 siblings, 1 reply; 4+ messages in thread
From: Michal Simek @ 2026-03-18 16:06 UTC (permalink / raw)
To: Prasanna Kumar T S M, jay.buddhabhatti, marco.crivellari,
tejas.patel, rajan.vaja, linux-arm-kernel, linux-kernel
On 3/17/26 15:36, Prasanna Kumar T S M wrote:
> [Some people who received this message don't often get email from ptsm@linux.microsoft.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> A mbox rx channel is requested using mbox_request_channel_byname() in
> probe. In remove callback, the rx mailbox channel is cleaned up when the
> rx_chan is NULL due to incorrect condition check. The mailbox channel is
> not shutdown and it can receive messages even after the device removal.
> This leads to use after free. Also the channel resources are not freed.
> Fix this by checking the rx_chan correctly.
>
> Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
> ---
> drivers/soc/xilinx/zynqmp_power.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/zynqmp_power.c
> index aa35b63b45a3..5086c1e6797e 100644
> --- a/drivers/soc/xilinx/zynqmp_power.c
> +++ b/drivers/soc/xilinx/zynqmp_power.c
> @@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct platform_device *pdev)
> {
> sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
>
> - if (!rx_chan)
> + if (rx_chan)
> mbox_free_channel(rx_chan);
Please also clear that global variable because when the driver is re-bound there
will be old reference to rx_chan which shouldn't be there.
if (rx_chan) {
mbox_free_channel(rx_chan);
rx_chan = NULL;
}
And please send both patches as one thread.
Thanks,
Michal
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel
2026-03-18 16:06 ` [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel Michal Simek
@ 2026-03-20 6:06 ` Prasanna Kumar T S M
0 siblings, 0 replies; 4+ messages in thread
From: Prasanna Kumar T S M @ 2026-03-20 6:06 UTC (permalink / raw)
To: Michal Simek, jay.buddhabhatti, marco.crivellari, tejas.patel,
rajan.vaja, linux-arm-kernel, linux-kernel
On 18-03-2026 21:36, Michal Simek wrote:
>
>
> On 3/17/26 15:36, Prasanna Kumar T S M wrote:
>> [Some people who received this message don't often get email from
>> ptsm@linux.microsoft.com. Learn why this is important at https://
>> aka.ms/LearnAboutSenderIdentification ]
>>
>> A mbox rx channel is requested using mbox_request_channel_byname() in
>> probe. In remove callback, the rx mailbox channel is cleaned up when the
>> rx_chan is NULL due to incorrect condition check. The mailbox channel is
>> not shutdown and it can receive messages even after the device removal.
>> This leads to use after free. Also the channel resources are not freed.
>> Fix this by checking the rx_chan correctly.
>>
>> Fixes: ffdbae28d9d1 ("drivers: soc: xilinx: Use mailbox IPI callback")
>> Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
>> ---
>> drivers/soc/xilinx/zynqmp_power.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/soc/xilinx/zynqmp_power.c b/drivers/soc/xilinx/
>> zynqmp_power.c
>> index aa35b63b45a3..5086c1e6797e 100644
>> --- a/drivers/soc/xilinx/zynqmp_power.c
>> +++ b/drivers/soc/xilinx/zynqmp_power.c
>> @@ -398,7 +398,7 @@ static void zynqmp_pm_remove(struct
>> platform_device *pdev)
>> {
>> sysfs_remove_file(&pdev->dev.kobj, &dev_attr_suspend_mode.attr);
>>
>> - if (!rx_chan)
>> + if (rx_chan)
>> mbox_free_channel(rx_chan);
>
>
> Please also clear that global variable because when the driver is re-
> bound there will be old reference to rx_chan which shouldn't be there.
>
> if (rx_chan) {
> mbox_free_channel(rx_chan);
> rx_chan = NULL;
> }
>
> And please send both patches as one thread.
>
> Thanks,
> Michal
Hi Michal,
Thanks for the review. Sent v2.
Thanks,
Prasanna
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-20 6:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-17 13:35 [PATCH 1/2] soc: xilinx: Fix race condition in event registration Prasanna Kumar T S M
[not found] ` <20260317143643.1329013-1-ptsm@linux.microsoft.com>
2026-03-18 16:06 ` [PATCH 2/2] soc: xilinx: Shutdown and free rx mailbox channel Michal Simek
2026-03-20 6:06 ` Prasanna Kumar T S M
[not found] <20260317133451.1324251-1-ptsm@linux.microsoft.com>
2026-03-18 15:40 ` [PATCH 1/2] soc: xilinx: Fix race condition in event registration Michal Simek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox